Determining advertising activity

ABSTRACT

A system may obtain a first group of information when an advertising link is requested and a second group of information when the advertising link is selected. The system may further detect illegitimate advertising-related activity based on the first group of information and the second group of information.

RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 11/170,134, filed Jun. 30, 2005, now U.S. Pat. No. 7,712,141, the disclosure of which is incorporated herein by reference.

FIELD OF THE INVENTION

Implementations consistent with the principles of the invention relate generally to advertising and, more particularly, to the processing of advertising information.

BACKGROUND OF THE INVENTION

An on-line advertising system may provide advertising links (also referred to as “impressions” hereinafter) to users when they visit certain web pages. When a particular advertising link is of interest to a user, a user may select (or click) the advertising link, which may cause the user's web browser to visit a web page belonging to the advertiser associated with the advertising link. This selection of an advertising link by a user is commonly referred to as a “click.”

On-line advertising systems often track impressions and clicks, and calculate charges based thereon. For example, an on-line advertising system may calculate a charge based, at least in part, on the clicks that an advertising link receives. Charges may also be calculated based on other characteristics, such as time of day, location of the user, age or other demographic information associated with the user, or the like.

On-line advertising systems may charge companies a predetermined fee for each click or impression associated with the companies' advertisements. The on-line advertising system may also pay a fee to the web publisher that displays an advertising link for each click that the advertising link receives or each advertising link impression. These types of fee approaches are vulnerable to attacks where malicious individuals inflate a company's advertising link click count or impression count. For example, malicious individuals may continually cause the company's advertisement(s) to be displayed, physically click on the company's advertisement(s), and/or write programs (often called click-bots or impression-bots) that automatically generate page views and/or clicks. These click-bots can be configured to mimic real network traffic by specifying parameters, such as clicks to page view distributions, geographic locations and network addresses, amount of traffic by days of the week and time of day, etc.

When malicious advertising activity occurs, a company may be charged for clicks or impressions that do not correspond to actual (or real) users. This can result in inaccurate fees being charged for advertising services. In those situations where web publishers are paid a fee each time a displayed advertising link is clicked or displayed, the web publishers themselves may use bots or malicious individuals to increase their revenue from the on-line advertising systems.

SUMMARY OF THE INVENTION

In accordance with one implementation consistent with the principles of the invention, a device may include logic to provide a group of advertising links; logic to obtain a first group of information when the group of advertising links is provided; logic to obtain a second group of information when an advertising link in the group of advertising links is selected; and logic to detect illegitimate activity based on the first group of information and the second group of information.

In another implementation consistent with the principles of the invention, a method may include obtaining a first group of information when an advertising link is requested, obtaining a second group of information when the advertising link is selected, and detecting illegitimate advertising-related activity based on the first group of information and the second group of information.

In yet another implementation consistent with the principles of the invention, a method may include collecting a group of information over a period of time, where the group of information is collected when at least one of an advertising link is requested or an advertising link is selected; generating a distribution based on the collected group of information; comparing the generated distribution to a stored distribution that reflects normal activity; and determining that illegitimate advertising-related activity occurred in the period of time when the generated distribution differs substantially from the stored distribution.

In still another implementation consistent with the principles of the invention, a method may include receiving a request for an advertising link; collecting a first group of information in response to the request, where the first group of information includes at least two of browser information, information relating to a device to which the advertising link is provided, or information relating to a user associated with the device; determining that the advertising link has been selected; obtaining a second group of information in response to the determining, where the second group of information includes the at least two of browser information, information relating to the device to which the advertising link is provided, or information relating to the user associated with the device; comparing the second group of information to the first group of information; and determining a presence of illegitimate activity when the second group of information does not match the first group of information.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an implementation of the invention and, together with the description, explain the invention. In the drawings,

FIG. 1 is an exemplary diagram of a network in which systems and methods consistent with the principles of the invention may be implemented;

FIG. 2 is an exemplary diagram of the advertising system of FIG. 1 in an implementation consistent with the principles of the invention;

FIG. 3 is a flow chart of an exemplary process for detecting illegitimate advertising click activity in an implementation consistent with the principles of the invention;

FIG. 4 is an exemplary document in an implementation consistent with the principles of the invention; and

FIG. 5 is a flow chart of an exemplary process for detecting illegitimate advertising activity in another implementation consistent with the principles of the invention.

DETAILED DESCRIPTION

The following detailed description of implementations consistent with the principles of the invention refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements. Also, the following detailed description does not limit the invention.

Overview

Implementations consistent with the principles of the invention detect illegitimate advertising activity. In this way, advertising-related charges can be more accurately determined.

When a user accesses a document for which advertising links are provided, an advertisement query request may be generated. As the name suggests, an advertisement query request requests that certain advertising links be retrieved for display with the accessed document. For example, if a user accesses a document relating to flowers, an advertising query request may be generated to retrieve advertising links that relate to the content of the document (i.e., flowers).

If the user then selects one of the retrieved advertising links (e.g., by clicking on an advertising link), a document corresponding to the advertisement may be retrieved and presented to the user. In addition, an advertisement click request may be generated. The advertisement click request may report that an advertising link that was previously retrieved by an advertisement query request was selected by the user.

In an exemplary implementation consistent with the principles of the invention, information may be obtained in connection with the advertisement query request and advertisement click request. For example, browser information, client information, and/or user information may be collected with both the advertisement query request and the advertisement click request. The information collected with the advertisement query request may be compared to the information collected with the advertisement click request. If the information collected with the advertisement query request matches the information collected with the advertisement click request, this may indicate that the advertising activity is legitimate (i.e., that the advertising link may have been selected by a legitimate user). Alternatively, if the information collected with the advertisement query request does not match the information collected with the advertisement click request, this may indicate that the advertising activity is illegitimate (e.g., the selection of the advertising link may have been performed by a click-bot). In this way, illegitimate advertising link selections may be detected.

A “document,” as the term is used herein, is to be broadly interpreted to include any machine-readable and machine-storable work product. A document may include, for example, an e-mail, a web site, a file, a combination of files, one or more files with embedded links to other files, a news group posting, a blog, a web advertisement, etc. In the context of the Internet, a common document is a web page. Web pages often include textual information and may include embedded information (such as meta information, images, hyperlinks, etc.) and/or embedded instructions (such as Javascript, etc.). A “link,” as the term is used herein, is to be broadly interpreted to include any reference to/from a document from/to another document or another part of the same document.

Exemplary Network

FIG. 1 is an exemplary diagram of a network 100 in which systems and methods consistent with the principles of the invention may be implemented. Network 100 may include multiple clients 110, an advertising system 120, and servers 130 connected via a network 140. Network 140 may include a local area network (LAN), a wide area network (WAN), a telephone network, such as the Public Switched Telephone Network (PSTN), an intranet, the Internet, or a combination of similar or dissimilar networks. Two clients 110, one advertising system 120, and two servers 130 have been illustrated as connected to network 140 in FIG. 1 for simplicity. In practice, there may be more or fewer clients 110, advertising systems 120, and/or servers 130. Also, in some instances, a client 110 may perform one or more of the functions of advertising system 120 and/or server 130 and vice versa.

Clients 110 may include client entities. An entity may be defined as a device, such as a personal computer, a wireless telephone, a personal digital assistant (PDA), a lap top, or another type of computation or communication device, a thread or process running on one of these devices, and/or an object executable by one of these devices. Advertising system 120 may include a server entity that maintains and provides advertising links. Servers 130 may include server entities that gather, process, search, and/or maintain documents in a manner consistent with the principles of the invention. Clients 110, advertising system 120, and servers 130 may connect to network 140 via wired, wireless, and/or optical connections.

In an implementation consistent with the principles of the invention, servers 130 may optionally include a search engine (not shown) usable by clients 110. Servers 130 may crawl documents (e.g., web pages) and store information associated with these documents in a repository of crawled documents. While advertising system 120 and servers 130 are shown as separate entities, it may be possible for one or more of servers 130 to perform one or more of the functions of advertising system 120, and vice versa. For example, it may be possible to implement advertising system 120 and one or more of servers 130 as a single server. It may also be possible to implement advertising system 120 as multiple, possibly distributed, entities.

Exemplary Advertising System Configuration

FIG. 2 is an exemplary diagram of advertising system 120 in an implementation consistent with the principles of the invention. Clients 110 and servers 130 may be similarly configured. Advertising system 120 may include a bus 210, a processor 220, a main memory 230, a read only memory (ROM) 240, a storage device 250, an input device 260, an output device 270, and a communication interface 280. Bus 210 may include a path that permits communication among the components of advertising system 120.

Processor 220 may include any type of conventional processor, microprocessor, or processing logic that interprets and executes instructions. Main memory 230 may include a random access memory (RAM) or another type of dynamic storage device that stores information and instructions for execution by processor 220. ROM 240 may include a conventional ROM device or another type of static storage device that stores static information and instructions for use by processor 220. Storage device 250 may include a magnetic and/or optical recording medium and its corresponding drive.

Input device 260 may include a conventional mechanism that permits an operator to input information to advertising system 120, such as a keyboard, a mouse, a pen, a biometric mechanism, such as a voice recognition device, etc. Output device 270 may include a conventional mechanism that outputs information to the operator, including a display, a printer, a speaker, etc. Communication interface 280 may include any transceiver-like mechanism that enables advertising system 120 to communicate with other devices and/or systems. For example, communication interface 280 may include mechanisms for communicating with another device or system via a network, such as network 140.

As will be described in detail below, advertising system 120, consistent with the principles of the invention, may detect illegitimate advertising activity. Advertising system 120 may perform this and other operations in response to processor 220 executing software instructions contained in a computer-readable medium, such as memory 230. A computer-readable medium may be defined as a physical or logical memory device and/or carrier wave. The software instructions may be read into memory 230 from another computer-readable medium, such as data storage device 250, or from another device via communication interface 280. The software instructions contained in memory 230 may cause processor 220 to perform processes that will be described later. Alternatively, hardwired circuitry may be used in place of or in combination with software instructions to implement processes consistent with the principles of the invention. Thus, implementations consistent with the principles of the invention are not limited to any specific combination of hardware circuitry and software.

Exemplary Processing

FIG. 3 is a flow chart of an exemplary process for detecting illegitimate advertising click activity in an implementation consistent with the principles of the invention. Processing may begin by receiving an advertisement query request (act 310). In one implementation, the advertisement query request may be generated in response to a user accessing a document, such as a web page, with which advertising links are associated. For example, if a user accesses a document that provides advertising links, an advertisement query request may be generated when the user requests access to the document. In one implementation, the advertisement query request may be automatically generated via the browser used by client 110. The browser may execute a piece of code, which may cause the advertisement query request to be generated in response to client 110's request for the document. Each advertising link that is returned in response to the advertisement query request may be associated with an identifier that uniquely identifies the advertising link for this particular transaction (i.e., for this particular user's request for the document and the provisioning of the document and associated advertising links).

The advertisement query request may include information for identifying which advertising links to retrieve for the accessed document. In one implementation, the advertisement query request may include information that causes advertising links that relate to the content of the document accessed by the user to be retrieved. In this situation, the advertising links may relate to the content of the document. For example, if a user of client 110 accesses a document relating to flowers, advertising links relating to buying flowers over the Internet may be provided. The selection of appropriate advertising links to provide may, for example, be determined by identifying a keyword that represents the content of the document and using the keyword to select the appropriate advertising links. One technique for providing an advertising link based, at least in part, on the content of a document (or web page) is described in U.S. patent application Ser. No. 10/375,900, entitled “Serving Advertisements Based on Content,” and filed Feb. 26, 2003, the entire contents of which are expressly incorporated herein by reference.

Information associated with the advertisement query request may be obtained (act 320). For example, in an implementation consistent with the principles of the invention, the information may include browser information, client information, and/or user information. In one implementation, the browser information may include information relating to the browser used by a client 110 to access the document. The browser information may include, for example, the type of browser being used, the version of the browser being used, information identifying whether java is enabled for the particular browser, information relating to the plugins installed on the browser (e.g., the number of plugins that have been installed, the type of plugins, the plugins' versions, etc.), the browser's history length, the number of Multipurpose Internet Mail Extensions (MIMEs) associated with the browser, the browser's window width and height, the language associated with the browser, the browser's javascript version, the header order of messages sent by the browser (i.e., the order in which the browser sends various Hyper Text Transfer Protocol (HTTP) information), and/or other type of browser information. The client information may include information relating to the particular client 110 used by the user to access the document. The client information may include, for example, an Internet Protocol (IP) address associated with client 110, the screen size of client 110, screen width, screen depth, color resolution, a clock time associated with client 110, a time zone in which client 110 is located, a type of operating system running on client 110, and/or other type of client information. The user information may include information relating to the user that uses client 110 to access the document. The user information may include, for example, cookie information and/or other user information.

The information relating to the advertisement query request may be obtained in various ways. For example, in one implementation consistent with the principles of the invention, the information may be obtained via the browser used by client 110. The browser may execute a piece of code, which may cause a predetermined combination of the above browser/client/user information to be collected. The information that is collected may include a number of different browser information items, a number of different client information items, and/or a number of different user information items. Some of the information may also be collected as part of client 110's standard request for the document. For example, an IP address may be collected, as well as browser information and HTTP header information. It will be appreciated that other techniques can be used for collecting browser information, client information, and/or user information.

An advertisement click request may be received in those situations when the user selects one of the advertising links retrieved in response to accessing the document (act 330). In one implementation, the advertisement click request may be automatically generated via the browser used by client 110. The browser may execute a piece of code, which may cause the advertisement click request to be generated in response to the user's selection of an advertising link in the document. The advertisement click request may include information identifying the selected advertising link. For example, the advertisement click request may include the unique identifier that is associated with the selected advertising link.

Information associated with the advertisement click request may be obtained (act 340). For example, in an implementation consistent with the principles of the invention, the information may include browser information, client information, and/or user information (denoted as “browser/client/user information” hereinafter). In one implementation, the browser/client/user information may include the same combination of browser/client/user information that was obtained in connection with the advertisement query request.

As set forth above, the browser information may include information relating to the browser used by a client 110 to access the document. The browser information may include, for example, the type of browser being used, the version of the browser being used, information identifying whether java is enabled for the particular browser, information relating to the plugins installed on the browser (e.g., the number of plugins that have been installed, the type of plugins, the plugins' versions, etc.), the browser's history length, the number of Multipurpose Internet Mail Extensions (MIMEs) associated with the browser, the browser's window width and height, the language associated with the browser, the browser's javascript version, the header order of messages sent by the browser (i.e., the order in which the browser sends various Hyper Text Transfer Protocol (HTTP) information), and/or other type of browser information. The client information may include information relating to the particular client 110 used by the user to access the document. The client information may include, for example, an IP address associated with client 110, the screen size of client 110, screen width, screen depth, color resolution, a clock time associated with client 110, a time zone in which client 110 is located, a type of operating system running on client 110, and/or other type of client information. The user information may include information relating to the user that uses client 110 to access the document. The user information may include, for example, cookie information and/or other user information.

The information relating to the advertisement click request may be obtained in various ways. For example, in one implementation consistent with the principles of the invention, the information may be obtained via the browser used by client 110. The browser may execute a piece of code, which may cause a predetermined combination of the above browser/client/user information to be collected. The information that is collected may include the same type of information that is collected in connection with the advertisement query request. Some of the information may also be collected as part of client 110's standard request for a document corresponding to the selected advertising link. For example, an IP address may be collected, as well as browser information and HTTP header information. It will be appreciated that other techniques can be used for collecting browser information, client information, and/or user information.

Some or all of the information obtained in connection with the advertisement query request may be compared to the information obtained in connection with the advertisement click request (act 350). For example, if, in connection with the advertisement query request, the type of plugins installed in the browser is obtained, along with an IP address for the user, then this browser and user information may be compared to the type of plugins installed in the browser and the IP address that is obtained at the time that the user clicks on (or selects) an advertising link. In some implementations, the browser/client/user information for the advertisement query request and the browser/client/user information for the advertisement click request may be stored and compared at some later point in time. In such an event, the appropriate browser/client/user information for the advertisement query request and the browser/client/user information for the advertisement click request may be identified based on the unique identifier associated with the advertising link that was selected.

If the information obtained in connection with the advertisement query request matches the information obtained in connection with the advertisement click request, then it may be determined that legitimate activity is present (act 360). That is, a click-bot was likely not used to select advertising links. Other processing may be performed in this situation to verify that the activity is actually legitimate.

If, on the other hand, the information obtained in connection with the advertisement query request does not match the information obtained in connection with the advertisement click request, then it may be determined that illegitimate activity is present (act 370). That is, a click-bot was likely used to select the advertising link. In this event, remedial measures may be taken. For example, a fee paid to a web publisher that provides the advertising links may be reduced and/or a charge to a company associated with the advertising link may be reduced.

The following example illustrates the above processing. FIG. 4 is an exemplary document 400 in an implementation consistent with the principles of the invention. Document 400 may be accessed, for example, by typing in the uniform resource locator (URL) “car-repair-place.com” or in response to a search query. In the example illustrated in FIG. 4, the content of document 400 relates to car repair.

As illustrated, document 400 may provide a number of advertising links 410. Advertising links 410 may be retrieved in response to an advertisement query request that is automatically generated when a user requests access to document 400. Advertising links 410 may be chosen based on, for example, the content of document 400 (car repair in this example), the geographical area of the user, and/or other criteria.

As set forth above, when the user requests access to document 400, an advertisement query request may be generated to retrieve advertising links 410 for document 400. In addition, a combination of browser information, client information, and/or user information may be collected. Assume, for explanatory purposes, that the following combination of information is collected—that the browser being used is Netscape, that the browser has java enabled, that the time zone in which client 110 is located is the Eastern time zone, and that the IP address is 100.100.10.10.

When an advertising link 410 is selected, an advertising click request may be generated to report the selection of the advertising link. In addition, the same type of browser information, client information, and/or user information that was collected in relation to the user requesting access to document 400 may again be collected when the user selects an advertising link 410. Assume, for this example, that the following combination of information is collected when advertising link 410 is selected—that the browser being used is Internet Explorer, that the browser does not have java enabled, that the time zone in which client 110 is located is the Western time zone, and that the IP address is 111.111.11.11.

The two sets of browser information, client information, and/or user information may be compared. If the two sets do not match, then it may be determined that illegitimate advertising activity is present. In the example above, the browser/client/user information collected when the user requested access to document 400 does not match the browser/client/user information collected when the user selected an advertising link 410. Therefore, in the example above, it would be determined that illegitimate advertising activity is present. Remedial measures may then be taken, such as reducing a fee paid to a web publisher.

While the above example depicted an extreme case where no information in the sets matched, it will be appreciated that this need not be the case for determining that illegitimate activity is present. For example, assume that the following combination of information is alternatively collected when advertising link 410 is selected—that the browser being used is Netscape, that the browser has java enabled, that the time zone in which client 110 is located is the Eastern time zone, and that the IP address is 100.111.10.10.

When the two sets of browser information, client information, and/or user information are compared, it may be determined that illegitimate advertising activity is present since the browser/client/user information collected when the user requested access to document 400 does not match the browser/client/user information collected when the user selected an advertising link 410.

As a final example, assume that the following combination of information is alternatively collected when advertising link 410 is selected—that the browser being used is Netscape, that the browser has java enabled, that the time zone in which client 110 is located is the Eastern time zone, and that the IP address is 100.100.10.10.

When the two sets of browser information, client information, and/or user information are compared, it may be determined that legitimate advertising activity may be present since the browser/client/user information collected when the user requested access to document 400 matches the browser/client/user information collected when the user selected an advertising link 410.
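The comparison of acts 310 through 370 can be sketched in code. The following is an added example, not code from the patent or from any advertising system: it stores the query-time information under the advertising link's unique identifier and checks the three alternative click records from the example above against it. The class and field names, the identifier strings, and the "unmatched" outcome for a click whose identifier has no stored query record are assumptions made for illustration.

```python
from dataclasses import dataclass

# Fields compared between the two requests. These four are the ones used in
# the worked example above; the key names are hypothetical.
COMPARED_FIELDS = ("browser", "java_enabled", "time_zone", "ip")


@dataclass(frozen=True)
class Verdict:
    link_id: str
    status: str            # "match", "mismatch" or "unmatched"
    mismatched: tuple = () # names of the fields that differed


class ClickValidator:
    """Keeps query-time information per link identifier (acts 310-320) and
    compares click-time information against it (acts 330-370)."""

    def __init__(self, fields=COMPARED_FIELDS):
        self.fields = tuple(fields)
        self._query_info = {}  # link identifier -> information stored at query time

    def record_query(self, link_id, info):
        # Keep only the predetermined combination of fields.
        self._query_info[link_id] = {f: info.get(f) for f in self.fields}

    def check_click(self, link_id, info):
        stored = self._query_info.get(link_id)
        if stored is None:
            # Assumption: a click that cannot be tied to a query request is
            # reported separately, since there is nothing to compare it to.
            return Verdict(link_id, "unmatched")
        # A field missing from the click record counts as a difference.
        mismatched = tuple(f for f in self.fields if stored[f] != info.get(f))
        return Verdict(link_id, "mismatch" if mismatched else "match", mismatched)


# Values taken from the worked example above; the identifier is constructed.
LINK_ID = "link-410-txn-0001"
QUERY_INFO = {"browser": "Netscape", "java_enabled": True,
              "time_zone": "Eastern", "ip": "100.100.10.10"}
ALTERNATIVE_CLICKS = [
    {"browser": "Internet Explorer", "java_enabled": False,
     "time_zone": "Western", "ip": "111.111.11.11"},
    {"browser": "Netscape", "java_enabled": True,
     "time_zone": "Eastern", "ip": "100.111.10.10"},
    {"browser": "Netscape", "java_enabled": True,
     "time_zone": "Eastern", "ip": "100.100.10.10"},
]


def run_page_examples():
    """Checks each alternative click record against the stored query record."""
    validator = ClickValidator()
    validator.record_query(LINK_ID, QUERY_INFO)
    return [validator.check_click(LINK_ID, click) for click in ALTERNATIVE_CLICKS]


if __name__ == "__main__":
    for verdict in run_page_examples():
        print(verdict.status, verdict.mismatched)
```

Reporting which fields differed, rather than only a yes/no result, lets a reviewer see that the second case fails on the IP address alone.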

While the above description focuses on comparing a combination of browser/client/user information collected when access to a document is requested to a combination of browser/client/user information collected when an advertising link in the document is selected to detect illegitimate activity, implementations consistent with the principles of the invention are not so limited. For example, in other implementations consistent with the principles of the invention, the detection of illegitimate activity may be based on a distribution of browser/client/user information.

FIG. 5 is a flowchart of an exemplary process for detecting illegitimate advertising activity in another implementation consistent with the principles of the invention. Processing may begin by collecting legitimate browser/client/user information over a period of time for advertisement query requests and advertisement click requests. A distribution of legitimate browser/client/user information may be generated and stored based on the collected information. Thereafter, at predetermined intervals, browser/client/user information may be collected when access to a document is requested and/or when an advertising link in the document is selected and a distribution determined (act 510). The distribution of browser/client/user information collected during a time interval may be compared to the stored distribution of legitimate browser/client/user information (acts 520 and 530). If the obtained distribution approximately matches (e.g., within some threshold) the stored distribution (act 530), then it may be determined that legitimate activity may be present (act 540). If, on the other hand, the obtained distribution substantially differs from the stored distribution (e.g., outside some threshold), then it may be determined that illegitimate activity may be present during the time period (e.g., a click-bot or impression-bot may have been used for advertising link selections and/or impressions) (act 550). In this event, remedial measures may be taken. For example, a fee paid to a web publisher that provides the advertising links may be reduced.
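The distribution comparison of FIG. 5 can be illustrated as follows. This is an added example, not code from the patent: the text does not name a distance measure or a threshold, so total variation distance, the 0.2 threshold, the minimum event count, and all sample counts are assumptions, and the event records are constructed.

```python
from collections import Counter


def distribution(events, field):
    """Relative frequency of each value of `field` across the events."""
    counts = Counter(e[field] for e in events)
    total = sum(counts.values())
    return {value: n / total for value, n in counts.items()} if total else {}


def total_variation(p, q):
    """Total variation distance between two discrete distributions (0 to 1).
    Assumption: the page only says the distributions are compared against
    'some threshold'; this metric is one possible choice."""
    values = set(p) | set(q)
    return 0.5 * sum(abs(p.get(v, 0.0) - q.get(v, 0.0)) for v in values)


def check_interval(baseline_events, interval_events, fields,
                   threshold=0.2, min_events=30):
    """Compares an interval's distributions to the stored baseline
    (acts 510-550). An interval is flagged when any field's distance exceeds
    the threshold; intervals with too few events are not judged at all."""
    if len(interval_events) < min_events:
        return {"status": "insufficient_data", "distances": {}}
    distances = {
        f: total_variation(distribution(baseline_events, f),
                           distribution(interval_events, f))
        for f in fields
    }
    flagged = any(d > threshold for d in distances.values())
    return {"status": "illegitimate" if flagged else "legitimate",
            "distances": distances}


def make_events(counts):
    """Expands {(browser, time_zone): n} into n event records each."""
    return [{"browser": b, "time_zone": tz}
            for (b, tz), n in counts.items() for _ in range(n)]


# Constructed sample data: a stored baseline of known-legitimate traffic,
# one interval that resembles it, and one dominated by a single configuration.
BASELINE = make_events({
    ("Internet Explorer", "Eastern"): 40, ("Internet Explorer", "Western"): 20,
    ("Netscape", "Eastern"): 20, ("Netscape", "Western"): 10,
    ("Other", "Eastern"): 10,
})
NORMAL_INTERVAL = make_events({
    ("Internet Explorer", "Eastern"): 38, ("Internet Explorer", "Western"): 20,
    ("Netscape", "Eastern"): 21, ("Netscape", "Western"): 10,
    ("Other", "Eastern"): 11,
})
SKEWED_INTERVAL = make_events({
    ("Netscape", "Eastern"): 95, ("Internet Explorer", "Western"): 5,
})
FIELDS = ("browser", "time_zone")

if __name__ == "__main__":
    for name, interval in (("normal", NORMAL_INTERVAL), ("skewed", SKEWED_INTERVAL)):
        print(name, check_interval(BASELINE, interval, FIELDS))
```

The minimum event count matters in practice: a handful of events can differ sharply from the baseline by chance, so short or quiet intervals are left unjudged rather than flagged.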

CONCLUSION

Implementations consistent with the principles of the invention detect illegitimate advertising activity. In this way, advertising-related charges can be more accurately determined.

The foregoing description of exemplary embodiments of the invention provides illustration and description, but is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of the invention. For example, one or more of the acts described with respect to FIG. 3 or 5 may be performed by advertising system 120 or another device (or combination of devices). In one implementation, one or more of the acts described with respect to FIG. 3 or 5 may be performed by a client 110 or a server, such as one of servers 130. For example, a browser assistant (i.e., software that operates in conjunction with a conventional web browser which is sometimes referred to as toolbar software) may perform one or more of the acts described with respect to the processing of FIG. 3 or 5.

Moreover, while series of acts have been described with regard to FIGS. 3 and 5, the order of the acts may be varied in other implementations consistent with the invention. Moreover, non-dependent acts may be implemented in parallel.

It will also be apparent to one of ordinary skill in the art that aspects of the invention, as described above, may be implemented in many different forms of software, firmware, and hardware in the implementations illustrated in the figures. The actual software code or specialized control hardware used to implement aspects consistent with the principles of the invention is not limiting of the invention. Thus, the operation and behavior of the aspects of the invention were described without reference to the specific software code—it being understood that one of ordinary skill in the art would be able to design software and control hardware to implement the aspects based on the description herein.

Further, certain portions of the invention may be implemented as “logic” that performs one or more functions. This logic may include hardware, such as an application specific integrated circuit or a field programmable gate array, software, or a combination of hardware and software.

No element, act, or instruction used in the description of the invention should be construed as critical or essential to the invention unless explicitly described as such. Also, as used herein, the article “a” is intended to include one or more items. Where only one item is intended, the term “one” or similar language is used. Further, the phrase “based on” is intended to mean “based, at least in part, on” unless explicitly stated otherwise. 

1. A method, performed by one or more processors associated with one or more server devices, the method comprising: receiving, by one or more processors associated with the one or more server devices, a request for an advertising link; providing, by one or more processors associated with the one or more server devices, and in response to the request, an advertising link to a client device; obtaining, by one or more processors associated with the one or more server devices, a first group of information, in response to the request, where the first group of information is obtained before the one or more server devices receive an indication that the client device has selected the advertising link; receiving, by one or more processors associated with the one or more server devices, an indication that the client device has selected the advertising link; obtaining, by one or more processors, a second group of information, associated with the client device or a user of the client device, in response to receiving the indication; and identifying, by one or more processors associated with the one or more server devices, a presence of illegitimate activity based on a comparison of at least a portion of the first group of information and at least a portion of the second group of information.
 2. The method of claim 1, where the identifying further includes: identifying illegitimate activity when the at least a portion of the first group of information and the at least a portion of the second group of information do not match.
 3. The method of claim 1, where the request for an advertising link includes: information identifying an advertising link associated with a document.
 4. The method of claim 1, further including: adjusting, when illegitimate activity is determined to be present, a fee paid or charged to a web publisher associated with the advertising link.
 5. The method of claim 1, where the first group of information and the second group of information each includes at least one of: information associated with a browser that is associated with the client device, information associated with the client device to which the advertising link is to be provided, or information associated with the user, of the client device, to which the advertising link is to be provided.
 6. The method of claim 5, where the information associated with the browser that is associated with the client device includes: at least one of a browser type, a browser version, information identifying whether Java® is enabled for the browser, information relating to a plugin installed on the browser, a length of a history associated with the browser, a number of Multipurpose Internet Mail Extensions (MIMEs) associated with the browser, a window width of a user interface associated with the browser, a window height of a user interface associated with the browser, a language associated with the browser, a JavaScript® version associated with the browser, or an order of a header of messages transmitted by the browser.
 7. The method of claim 5, where the information associated with the client device includes: at least one of an Internet Protocol (IP) address associated with the client device, a screen size associated with the client device, a screen width associated with the client device, a screen depth associated with the client device, a color resolution associated with the client device, a clock time associated with the client device, a time zone in which client device is located, or a type of operating system running on the client device.
 8. The method of claim 5, where the information associated with the user includes cookie information.
 9. A server, including one or more computers on a network, the server comprising: a processor; a memory to store instructions that when executed by the processor, cause the processor to: provide a group of advertising links to a client device; obtain, from the client device, and before the server receives an indication that an advertising link, of the group of advertising links, is selected, a first group of information associated with the client device or a user of the client device; receive a selection of the advertising link; obtain, from the client device, and in response to the selection of the advertising link, a second group of information associated with the client device or the user of the client device; and identify illegitimate activity when a comparison of the first group of information and the second group of information indicates that at least a portion of the first group of information and at least a portion of the second group of information do not match.
 10. The server of claim 9, where the first group of information and the second group of information each includes at least one of: information associated with a browser that is associated with the client device, information associated with the client device to which the advertising link is to be provided, or information associated with the user to which the advertising link is to be provided.
 11. The server of claim 10, where the information associated with the browser that is associated with the client device includes: at least one of a browser type, a browser version, information identifying whether Java® is enabled for the browser, information relating to a plugin installed on the browser, a length of a history associated with the browser, a number of Multipurpose Internet Mail Extensions (MIMEs) associated with the browser, a window width of a user interface associated with the browser, a window height of a user interface associated with the browser, a language associated with the browser, a JavaScript® version associated with the browser, or an order of a header of messages transmitted by the browser.
 12. The server of claim 10, where the information associated with the client device includes: at least one of an Internet Protocol (IP) address associated with the client device, a screen size associated with the client device, a screen width associated with the client device, a screen depth associated with the client device, a color resolution associated with the client device, a clock time associated with the client device, a time zone in which client device is located, or a type of operating system running on the client device.
 13. The server of claim 10, where the information associated with the user includes cookie information.
 14. The server of claim 9, where the processor is further to: adjust, when illegitimate activity is determined to be present, a fee paid or charged to a web publisher associated with the advertising link.
 15. The server of claim 9, where the group of advertising links is related to a content of a document.
 16. A system comprising: a server, including one or more computers on a network, where the server is to: receive, from a client device, an advertisement query request for an advertising link; provide the advertising link in response to the advertisement query request; obtain, in response to the advertisement query request and before the server receives an indication that the advertising link has been selected, a first group of information associated with the client device or a user of the client device; determine that the advertising link has been selected; obtain, in response to determining that the advertising link has been selected, a second group of information associated with the client device or the user of the client device; and compare the first group of information and the second group of information to determine whether selection of the advertising link is legitimate.
 17. The system of claim 16, where the first group of information and the second group of information include a same type of information.
 18. The system of claim 16, where the first group of information and the second group of information each includes at least one of: information related to a browser that is associated with the client device, information related to the client device to which the advertising link is to be provided, or information related to the user to which the advertising link is to be provided.
 19. The system of claim 16, where, when the server is to compare the first group of information and the second group of information to determine whether selection of the advertising link is legitimate, the server further is to: identify illegitimate activity when at least a portion of the first group of information and at least a portion of the second group of information do not match.
 20. A method, performed by one or more processors associated with one or more server devices, the method comprising: receiving, by one or more processors associated with the one or more server devices, a request for an advertising link; collecting, by one or more processors associated with the one or more server devices, first information related to legitimate advertising activity, where the first information includes information collected before the one or more server devices receive an indication that the advertising link has been selected, by a user of a client device, and information collected, after the one or more server devices receive an indication that the advertising link has been selected; generating, using one or more processors associated with the one or more server devices, a first distribution of legitimate information based on the first information related to legitimate advertising activity; collecting, by one or more processors associated with the one or more server devices, second information, associated with the client device or the user of the client device, during a predetermined time interval, where the second information includes information collected before the one or more server devices receive an indication that the advertising link has been selected and information collected after the one or more server devices receive an indication that the advertising link has been selected; generating, using one or more processors associated with the one or more server devices, a second distribution based on the second information; comparing, by one or more processors associated with the one or more server devices, the generated first distribution of legitimate information to the generated distribution of second information; and identifying, by one or more processors associated with the one or more server devices, that illegitimate advertising-related activity occurred during the predetermined time interval, if the generated second distribution differs from the generated first distribution.
 21. The method of claim 20, where the first information and the second information each includes at least one of: browser information relating to the client device, information relating to the client device to which the advertising link is provided, or information relating to the user associated with the client device, to which the advertising link is provided.
 22. The method of claim 21, where the browser information, relating to the client device, includes: at least one of a browser type, a browser version, information identifying whether Java® is enabled for the browser, information relating to a plugin installed on the browser, a length of a history associated with the browser, a number of Multipurpose Internet Mail Extensions (MIMEs) associated with the browser, a window width associated with the browser, a window height associated with the browser, a language associated with the browser, a JavaScript® version associated with the browser, or an order of a header of messages transmitted by the browser.
 23. The method of claim 21, where the information, relating to the client device to which the advertising link is provided, includes at least one of: an Internet Protocol (IP) address associated with the client device, a screen size associated with the client device, a screen width associated with the client device, a screen depth associated with the client device, a color resolution associated with the client device, a clock time associated with the client device, a time zone in which the client device is located, or a type of operating system running on the client device.
 24. The method of claim 21, where the information, relating to the user associated with the client device, includes cookie information. 